OX Security
ox.security › blog › react-cve-2025-55184-67779-55183-react-19-vulnerabilities
React Vulnerabilities Strike Again: Denial Of Service & Information Leakage in Patched Versions of React2Shell - OX Security
December 12, 2025 - CVE-2025-55184 and CVE-2025-67779 enable denial of service attacks, while CVE-2025-55183 exposes backend source code, potentially leaking API keys and secrets. Organizations that patched for React2Shell are still vulnerable and must update ...
Discussions

Critical Vulnerabilities in React and Next.js: everything you need to know - A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js
Feels like having all the behind the scenes magic and hidden endpoints isn't the best approach to build robust solutions. Devs should define all open endpoints and expose them as part of routing configuration.
r/reactjs, December 3, 2025

React 19 RCE vulnerability - can we stop pretending modern frameworks are automatically more secure?
Sir, this is a Wendy’s.
r/reactjs, January 27, 2026

What is the newly disclosed React Server Components vulnerability (CVE-2025-55182)? How serious is it for Next.js apps?
There’s a vulnerability that would allow an attacker to run malicious code against server-based components. Update to the appropriate specified version asap. They are intentionally not disclosing details. Just upgrade to the latest version and you’ll be fine.
r/reactjs, December 4, 2025

Critical Security Vulnerability in React Server Components
Expo is not affected since nothing is server side rendered. The vulnerability here is that someone can execute code on your server to, for example, extract the whole database. Native apps on a phone are client side apps; anything shipped in an application should be considered public. Same applies to expo-web, which runs client side in a browser.
r/expo, December 5, 2025
Microsoft
microsoft.com › home › defending against the cve-2025-55182 (react2shell) vulnerability in react server components
Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components | Microsoft Security Blog
December 15, 2025 - The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser. It uses the Flight protocol to communicate between client and server. When a client requests data, the server receives a payload, parses this payload, executes server-side logic, and returns a serialized component tree. The vulnerability exists because affected React Server Components versions fail to validate incoming payloads.
Medium
medium.com › @jitendrakhilar609 › react-19-vulnerability-explained-8333eeee1961
React 19 Vulnerability Explained. Recently, a critical security… | by Jitendra Khilar | Medium
December 7, 2025 - Official Link — https://nextjs.org/blog/CVE-2025-66478 · React 19’s Server Components vulnerability was serious, but most apps are safe if you’re on React 18 or Next.js 13/14.
Wiz
wiz.io › blog › critical-vulnerability-in-react-cve-2025-55182
React2Shell (CVE-2025-55182): Critical React Vulnerability | Wiz Blog
December 3, 2025 - A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js. Assigned CVE-2025-55182, this flaw allows for unauthenticated remote code execution (RCE) on the server due to insecure deserialization.
React
react.dev › blog › 2025 › 12 › 11 › denial-of-service-and-source-code-exposure-in-react-server-components
Denial of Service and Source Code Exposure in React Server Components – React
These vulnerabilities are present in the same packages and versions as CVE-2025-55182. This includes 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2, and 19.2.3 of:
Trend Micro
trendmicro.com › en_us › research › 25 › l › critical-react-server-components-vulnerability.html
Critical React Server Components Vulnerability CVE-2025-55182: What Security Teams Need to Know | Trend Micro (US)
December 5, 2025 - Next.js (15.0.5+, 15.1.9+, 15.2.6+, ... if possible, and deploy WAF rules. The risk is severe: data breaches, ransomware, compliance penalties, and business disruption are all possible. Organizations using React.js 19.x or Next.js ...
GitHub
github.com › facebook › react › security › advisories › GHSA-fv66-9v8q-g76r
Critical Security Vulnerability in React Server Components
December 3, 2025 - There is an unauthenticated remote code execution vulnerability in React Server Components. We recommend upgrading immediately. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
Palo Alto Networks
unit42.paloaltonetworks.com › cve-2025-55182-react-and-cve-2025-66478-next
Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
December 12, 2025 - Cortex Cloud provides comprehensive ASPM capabilities to rapidly identify the reach of CVE-2025-55182 and CVE-2025-66478 across your application landscape. Through real-time SBOM visibility, security teams can instantly query their software ...
Reddit
reddit.com › r/reactjs
r/reactjs on Reddit: Critical Vulnerabilities in React and Next.js: everything you need to know - A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js
December 3, 2025 - They said Next.js: 15.0.5+ is patched, does that mean you're safe if you're using that version or higher, or do you still have to update react-dom-webpack/turbopack to 19.2. Secondary question, this seems to be a webpack/turbopack issue, does that mean Vite users are safe?? ... Vite users are not safe. The vulnerability exists in the React Flight implementation (the wire protocol for RSCs) that is shared across all RSC implementations.
Berkeley Security
security.berkeley.edu › news › critical-vulnerabilities-react-and-nextjs
Critical Vulnerabilities in React and Next.js | Information Security Office
A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, a core feature of the modern React 19 ecosystem.
Snyk
snyk.io › snyk vulnerability database › npm › react
react 19.2.4 vulnerabilities | Snyk
January 26, 2026 - 19.3.0-canary-fd524fe0-20251121 · 14 years ago · 2 months ago · MIT · >=0.0.0-375616788 <0.8.0; >=15.6.2 <16.0.0-alpha; >=16.0.0
Snyk
security.snyk.io › snyk vulnerability database › npm › react
react 19.1.0 vulnerabilities | Snyk
19.3.0-canary-fd524fe0-20251121 · 14 years ago · 1 month ago · MIT · >=0.0.0-375616788 <0.8.0; >=15.6.2 <16.0.0-alpha; >=16.0.0
Vercel
vercel.com › changelog › cve-2025-55182
Summary of CVE-2025-55182 - Vercel
Applications using affected versions of the React Server Components implementation may process untrusted input in a way that allows an attacker to perform remote code execution. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following packages:
Reddit
reddit.com › r/reactjs
r/reactjs on Reddit: React 19 RCE vulnerability - can we stop pretending modern frameworks are automatically more secure?
January 27, 2026 -

The React 19 RCE bug from December (CVE-2025-66478) is a good reminder that no framework is magically secure.

I keep seeing people say WordPress is insecure and moving to Next/React solves security problems. But like... React Server Components just had a critical remote code execution vulnerability. WordPress core is actually pretty solid, most security issues are from old plugins or bad hosting.

Security comes from keeping stuff updated, decent infrastructure, not installing random plugins/packages, and actually knowing what you're deploying. That's it.

The "WordPress bad, modern frameworks secure" thing is getting old when they all have vulnerabilities.

Curious if anyone else has clients who think switching stacks = better security? That conversation is always fun.

Rankiteo Blog
blog.rankiteo.com › rea1775809531-react-vulnerability-april-2026
React: React Server Components Vulnerability Enables DoS Attacks
2 days ago - Review server-side rendering configurations for potential exposure. References: GitHub Security Advisory. Response: communication strategy: public advisory by GitHub Security Advisory and React team; containment measures: patch released (versions 19.0.5, 19.1.6, 19.2.5); remediation measures: upgrade to patched versions (19.0.5, 19.1.6, 19.2.5). Title: High-Severity DoS Vulnerability in React Server Components Exposes Web Apps to Attacks. Type: Denial of Service (DoS). Vulnerability exploited: CVE-2026-23869 (Deserialization of untrusted data - CWE-502, Uncontrolled resource consumption - CWE-400).
GitHub
github.com › facebook › react › security › advisories › GHSA-83fc-fqcc-2hmg
Denial of Service Vulnerabilities in React Server Components
January 26, 2026 - 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.2.0, 19.2.1, 19.2.2, 19.2.3 ... It was found that the fixes to address DoS in React Server Components were incomplete and we found multiple denial of service vulnerabilities ...
Snyk
snyk.io › snyk vulnerability database › npm › react
react 19.0.0 vulnerabilities | Snyk
19.3.0-canary-fd524fe0-20251121 · 14 years ago · 1 month ago · MIT · >=0.0.0-375616788 <0.8.0; >=15.6.2 <16.0.0-alpha; >=16.0.0
Vercel
vercel.com › kb › bulletin › security-bulletin-cve-2025-55184-and-cve-2025-55183
Security Bulletin: CVE-2025-55184 and CVE-2025-55183 | Vercel Knowledge Base
Following the React2Shell disclosure, ... vulnerabilities that require patching: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183)....